When it comes to Samsung’s fingerprint scanner technology embedded in the home button on the new Galaxy S5, there’s good news and bad news. The good news is that we have spent plenty of time testing it, and we’ve found that it works very well. The bad news, however, is that it has apparently already been hacked, leaving Galaxy S5 owners’ devices and their PayPal accounts at risk.

As noted by German-language security blog H Security, SRLabs has posted video evidence that the fingerprint scanner on Samsung’s Galaxy S5 can easily be spoofed using a lifted print. In mere minutes, the group was able to create a “dummy finger” using an actual fingerprint to gain unauthorized access to the phone.

Some might recall that Apple’s iPhone 5s fingerprint scanner was hacked using the same method. As SRLabs points out, however, the Galaxy S5’s fingerprint security implementation makes this hack far more dangerous.

With Apple’s Touch ID system, owners are required to input their password one time before using a fingerprint for authentication. The password must be used again once each time the device is rebooted. This extra step seems annoying, but it prevents the very spoof achieved by SRLabs.

On Samsung’s Galaxy S5, however, no password is needed to access the device. Even after a reboot, a simple swipe of a finger will unlock the phone. And what could be much more alarming is the fact that, even after a reboot, you don’t need a password to access PayPal and make payments through the app if it has been configured for fingerprint authentication.